Hi MIG,
I use the same Google Authentication PAM module which most everyone else uses (on Linux), and I'm OK with it.
sudo apt install libpam-google-authenticator
This is a well established PAM lib enabled by adding the following to the end of the /etc/pam.d/sshd file:
...
auth required pam_google_authenticator.so
and then we simply modify the /etc/ssh/sshd_config file as follows:
...
ChallengeResponseAuthentication yes
...
and then we restart sshd:
sudo systemctl restart sshd.service
and run:
google-authenticator
in the user account which sets everything up for the user and we add the details to the Google Authenticator app.
This is well established and well documented on the net.
I was going to use Symantec VIP Access but those libs are not freely available for the server side.
I'm not worried about the integrity of this method.
I am only concerned about how to pass the 2FA token in a cron file for rsync and so I asked if anyone had done the same, as I could not find anyone (on the net) who has passed the 2FA token and the password using rsync in cron.
It's not a big deal, as I can set up a user for only rsync and use pam_succeed_if.so to permit that user account to bypass 2FA, but I was looking for a solution to pass the 2FA token instead of bypassing for a single user on the server as we do with sshpass in this example:
/usr/bin/rsync -qpavzh --rsh="/usr/bin/sshpass -f '/var/local/.secure' ssh -o StrictHostKeyChecking=no -l user" user@myserver.com:/var/data/dumps/ /var/data/dumps/
But so far, I cannot find a solution by someone else who has done this with rsync and libpam-google-authenticator.
I'm OK with having a special, restricted userid which bypasses 2FA; but I would prefer not to do this and send the 2FA token along with the username and password in the rsync cron script. That's why I asked "has anyone else done this" and posted the rsync example.